Hackable Government and Educational Websites - what were they thinking..?

Recently I got  an email saying that 855 crores of money is spent on ministers who do nothing (except for fighting forI don't blame any one for this,its natural if you find a vulnerability in a website, you will be especially tempted to exploit it power that is) and much of it is true. Government is taking lone from UN for its concerns and precious resources are  wasted on old whimpering scrooges who rule the holy land. No..I m not pissed off much. not much, but what really pisses me off is the quality of government websites in India. Tell me any .gov.in portal which is secure and I will stop blogging. There has been quite a peculiar scenario going on with the security scene in India. A cyber coldwar is going on with Pakistan and China as of now with defacing going on from both sides with no sweat and concerns. I don't blame any one for this,its natural if you find a vulnerability in a website (or in general,anything), you will be especially tempted to exploit it. What concerns me that the websites of government officials, bollywood stars, educational websites are quite hackable and NOONE is concerned about them. Then there comes media paparazzi and the spiced up news channels exaggerating everything to himalayan proportions. And then every script kiddie becomes a hacker, not by his hack, but by the media.

Disclaimer - 
I HAVE NOT HACKED ANY OF THE SITES AND THE DATABASE,JUST TESTED THEM FOR VULNERABILITIES. I TESTED THEM AND FOUND ERRORS WHICH MAY/MAY NOT BE DISCLOSED HERE AND IN NO WAY ANY ONE CAN SUE ME FOR THIS AS I DID AND MEANT NO HARM TO THE DATA OF CONCERNED ORGANIZATIONS.BY READING THIS ARTICLE YOU AGREE WITH THE DISCLAIMER.
IF YOU AGREE WITH THIS AGREEMENT,CONTINUE READING ELSE IMMEDIATELY LEAVE THIS WEBSITE.

The story goes on..

Why not to start from my University website – www.ptu.ac.in  the old web portal was recently revamped and broken into multiple parts, with www.ptuexam.com responsible for storing the data of students. This DOT NET based website is quite insecure and even was near defaced recently and even an old veteran once commented on the status of website. I on  a lazy Saturday morning was trying to see my result when I got interested in the structure of website. “Poorly scripted” and “insecure” were the first words that blurted out from my mind.

PTU Website 
The login is given in the front with some interesting URL patterns. I decided to get my hands dirty and inspected the site by creating an error. It gave me a 404 error and I was able to deduce the server was a Microsoft one.Later I tried injecting “ asdx” ’” into username and password fields of form and I got a database error. Its vulnerable to SQL injections. I found an interesting URL -
http://www.ptuexam.com/Enquiry/WebMas_Adm_UniAdmProfile.asp?AdmID=
and upon experimenting I got multiple column names and usernames.

I got much much info from this site

I was even able to get server configuration,database names (500+ databases),table names and column names…
Microsoft SQL Server 2005 - 9.00.4053.00 (X64) May 26 2009 14:13:01 Copyright (c) 1988-2005 Microsoft Corporation Developer Edition (64-bit) on Windows NT 5.2 (Build 3790: Service Pack 2)
E555802-130167
And then..I got this..

just one of Usernames and passwords 
I got a username and password to login into the site..Just WHAT WERE THEY THINKING ?!!!! Also If one can try a bit harder once can *easily* gain Admin access to PTU website and wreak havoc. No..I didn't hack it.But I was tempted to,I had all the data. I m not  blackhat,but I m not a whitehat either. I idolize the_ut as my hero, his knowledge,ideology about the scene and his style,but hold him in contempt for his love for pure destruction.

Big question – why is it insecure ?
 
Bigger question – what if a capable hacker defaces it,drops all the tables there and plays with the future of students ?

*update* - Officials at PTU contacted me and their administrator met me personally. They had a look at all the findings and loopholes which I found and discussed to make a move at opensource . Looks like a nice start to me. Rest we shall see where it all goes . Greets go to Samandeep, Mr Amarjit Singh who did their best.

And this is only the beginning..Many University sites,government sites are easily hackable. Why don't they secure them is unanswered. The worst part is that all the so called Hacking Academies and Institutes which are teaching the basics of hacking make students practice on them. The vulnerable sites ? Lets have a look at them -

NIT KU
NIT Kurukshetra Website
 fiitjee
FIITJEE website is another offender

Seshadripuram Law college website and the trust’s website
Seshadripuram Law college website and the trust’s website

NISCAIR website
NISCAIR website…this one was even on youtube once
 Zee news Noida
Zee news Noida
 National Assessment and Accreditation Council of INDIA
National Assessment and Accreditation Council of INDIA
 93
93.5 red fm was virtually digitally raped before its overhaul..still not very safe
 dm
Official site of Dino Morea and site and even more..
Frankly speaking..Any sufficiently experienced technology enthusiastic can hack these websites in minutes. The security is zero and that's why we are behind in cyber subculture today. Folks..its time to wake up and make our sysadmins realize that the cyber scenario is quite advanced today and we are no match for the upcoming competition. We just cant let others to deface our resources, cant let them play with our future.
Time to get better and buckle up before someone performs a rm-rf on us. 

Hackers are here..Where are you ?

POSTED BY XERO ALL RIGHTS RESERVED.



3 comments:

  1. hey plz tell me how to hack ptuexam.com??
    i m try so much time sql injection but i m fail??

    ReplyDelete
  2.  bhai agar koi tarika mile toh mujhe bta dena :P pleeez

    ReplyDelete
  3. hack kr de bhai 1 baar
    fir hi inko kuch pta chalega____tere is blog ki SEO toh hai nahi
    koun PTU wala ise padde ga??____m tottaly frustrated with this uni.

    ReplyDelete

Need to say something ? Spell it out :)